4 files changed, 53 insertions, 11 deletions

diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 85aa81553..fdc2edf39 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -419,6 +419,17 @@ Logging driver specific options.  Used to set the path to the container log file
 
 `--log-opt path=/var/log/container/mycontainer.json`
 
+**--log-opt**=*tag*
+
+Set custom logging configuration.  Presently supports the `tag` option
+which specified a custom log tag for the container.  For example:
+
+`--log-opt tag="{{.ImageName}}"`
+
+It supports the same keys as `podman inspect --format`.
+
+It is currently supported only by the journald log driver.
+
 **--mac-address**=*address*
 
 Container MAC address (e.g. 92:d0:c6:0a:29:33)
@@ -575,7 +586,7 @@ To make a pod with more granular options, use the `podman pod create` command be
 Give extended privileges to this container. The default is *false*.
 
 By default, Podman containers are
-“unprivileged” (=false) and cannot, for example, modify parts of the kernel.
+“unprivileged” (=false) and cannot, for example, modify parts of the operating system.
 This is because by default a container is not allowed to access any devices.
 A “privileged” container is given access to all devices.
 
@@ -584,6 +595,8 @@ to all devices on the host, turns off graphdriver mount options, as well as
 turning off most of the security measures protecting the host from the
 container.
 
+Rootless containers cannot have more privileges than the account that launched them.
+
 **--publish**, **-p**=*port*
 
 Publish a container's port, or range of ports, to the host
diff --git a/docs/source/markdown/podman-exec.1.md b/docs/source/markdown/podman-exec.1.md
index d46427c91..fc67211d1 100644
--- a/docs/source/markdown/podman-exec.1.md
+++ b/docs/source/markdown/podman-exec.1.md
@@ -43,7 +43,19 @@ Pass down to the process N additional file descriptors (in addition to 0, 1, 2).
 
 **--privileged**
 
-Give the process extended Linux capabilities when running the command in container.
+Give extended privileges to this container. The default is *false*.
+
+By default, Podman containers are
+"unprivileged" and cannot, for example, modify parts of the operating system.
+This is because by default a container is only allowed limited access to devices.
+A "privileged" container is given the same access to devices as the user launching the container.
+
+A privileged container turns off the security features that isolate the
+container from the host. Dropped Capabilities, limited devices, read/only mount
+points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
+
+Rootless containers cannot have more privileges than the account that launched them.
+
 
 **--tty**, **-t**
 
diff --git a/docs/source/markdown/podman-generate-systemd.1.md b/docs/source/markdown/podman-generate-systemd.1.md
index b81e68a46..4d3f9ba48 100644
--- a/docs/source/markdown/podman-generate-systemd.1.md
+++ b/docs/source/markdown/podman-generate-systemd.1.md
@@ -22,11 +22,16 @@ Generate files instead of printing to stdout.  The generated files are named {co
 
 Use the name of the container for the start, stop, and description in the unit file
 
+**--new**
+
+Create a new container via podman-run instead of starting an existing one.  This option relies on container configuration files, which may not map directly to podman CLI flags; please review the generated output carefully before placing in production.
+
 **--timeout**, **-t**=*value*
 
 Override the default stop timeout for the container with the given value.
 
 **--restart-policy**=*policy*
+
 Set the systemd restart policy.  The restart-policy must be one of: "no", "on-success", "on-failure", "on-abnormal",
 "on-watchdog", "on-abort", or "always".  The default policy is *on-failure*.
 
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index e8744de35..d9fdd9650 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -426,10 +426,21 @@ Logging driver for the container.  Currently available options are *k8s-file* an
 
 **--log-opt**=*path*
 
-Logging driver specific options.  Used to set the path to the container log file.  For example:
+Set custom logging configuration.  Presently supports the `tag` option
+which specified a custom log tag for the container.  For example:
 
 `--log-opt path=/var/log/container/mycontainer.json`
 
+**--log-opt**=*tag*
+
+Specify a custom log tag for the container.  For example:
+
+`--log-opt tag="{{.ImageName}}"`
+
+It supports the same keys as `podman inspect --format`.
+
+It is currently supported only by the journald log driver.
+
 **--mac-address**=*address*
 
 Container MAC address (e.g. `92:d0:c6:0a:29:33`)
@@ -588,15 +599,16 @@ If a container is run with a pod, and the pod has an infra-container, the infra-
 
 Give extended privileges to this container. The default is *false*.
 
-By default, Podman containers are “unprivileged” (=false) and cannot,
-for example, modify parts of the kernel. This is because by default a
-container is not allowed to access any devices. A “privileged” container
-is given access to all devices.
+By default, Podman containers are “unprivileged” (=false) and cannot, for
+example, modify parts of the operating system.  This is because by default a
+container is only allowed limited access to devices.  A "privileged" container
+is given the same access to devices as the user launching the container.
 
-When the operator executes **podman run --privileged**, Podman enables access
-to all devices on the host, turns off graphdriver mount options, as well as
-turning off most of the security measures protecting the host from the
-container.
+A privileged container turns off the security features that isolate the
+container from the host. Dropped Capabilities, limited devices, read/only mount
+points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
+
+Rootless containers cannot have more privileges than the account that launched them.
 
 **--publish**, **-p**=*port*